The Data (Use and Access) Act 2025 Is Here: Are You Ready For It?

On 19 June 2025, the Data (Use and Access) Bill received Royal Assent having passed through both Houses of Parliament on 11 June 2025.

The Act is a key development in UK data protection law but does not overhaul the current regime on a wholesale scale. Instead, the Act supplements and amends the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR) in various specific areas. Organisations should take care to understand the updated requirements on them and make necessary adjustments.

The Information Commissioner’s Office (ICO) has published information to support organisations on the changes, including an outline of what the Act means for organisations and a detailed summary of the changes for data protection experts. 

We set out further information on some key provisions of the Data (Use and Access) Act 2025 below.

When do the changes come into effect?

Whilst the Act is already in force, implementation of the Act (including the changes to the UK GDPR and PECR) will be phased by the government, which will commence different changes using secondary legislation. Provisions are expected to come into force within the next two to 12 months, giving organisations a period of time to prepare for compliance.

How did we get here?

The Bill replaced the Data Protection and Digital Information Bill (DPDI) introduced by the previous government. The Data (Use and Access) Act has had a long route to get to this stage with the Bill going back and forth between the House of Commons and House of Lords for months. The most contentious provisions in the Bill related to a controversial amendment in connection with copyright and AI. Ultimately, this amendment was not adopted in the final text of the Act.

What is the Act?

The Act addresses a diverse range of topics related to the use of and access to data, and is not limited to just personal data. In this briefing we discuss its key changes to the UK GDPR and PECR, as these will be of general importance for all organisations required to comply with UK data protection legislation. The Act also includes provisions, amongst other things, on:

  • Data access requirements – Whilst businesses may be familiar with data subject access requests and requests for portability of personal data, the Act enables secondary legislation to be made that could give individuals access rights for other types of data e.g. on the performance or quality of goods or services sold by a business. Such rules may become significant if introduced, and we will continue to "watch this space".
  • Digital verification – Certain businesses may be subject to new rules on the provision of digital verification services (DVS) – broadly online services that allow an individual to be identified at their request without needing to provide physical documentation. These include a requirement for the Secretary of State to publish a DVS trust framework including rules regulating the conduct of providers of such services, which may be supported by additional supplementary codes. A DVS register will also be established, which will allow persons on that register to receive personal information related to an individual from public authorities to allow them to provide digital verification services to that individual, and allow those persons to use a "trust mark".
  • Information Commission – Establishing the Information Commission (IC) to replace the Information Commissioner’s Office (ICO) – this is largely a procedural change but the Act does introduce some new duties on the regulator such as to have regard to the desirability of promoting innovation and competition where relevant in carrying out its functions.

What are the impacts for the UK GDPR and PECR?

  • GDPR level fines for PECR breaches - The IC – which will replace the ICO – will have enhanced powers to enforce the PECR. Notably, it will have the power to apply maximum fines of £17.5m or 4% of annual turnover, whichever is higher, for breaches of the PECR rules, including on cookies. These fines will align with potential fines for breaches of the UK GDPR. This is significantly higher than the fine limit of £500,000 for PECR breaches that applied prior to implementation of the Act, and is likely to be significant given that PECR compliance is currently an area of close regulatory scrutiny.
  • Cookies - Under current rules opt-in consent must be obtained for the use of cookies, other than cookies that are strictly necessary for functionality. Under new rules opt-in consent will additionally not be required for cookies that collect information for statistical purposes, or that enhance the appearance or functionality of a website or allow its appearance or functionality to adapt to user preferences, if they meet certain conditions. Information on these cookies, and an opt-out in respect of these cookies, must however still be provided.
  • Data Subject Access Requests (DSARs) - Organisations responding to DSARs may obtain greater flexibility in how they respond. In particular, organisations may only be under an obligation to conduct a reasonable and proportionate search for personal data in order to respond to a request. They may also be able to "stop the clock" for responding to requests in certain circumstances, including where they reasonably require further information in order to identify the information or processing activities to which a DSAR relates.
  • Data protection complaints - The Act includes enhanced procedures to benefit data subjects making complaints. These include requirements to facilitate data subject complaints, for example by providing an online complaint form, and to ensure that complaints are appropriately investigated. As a result, controllers of personal data may be required in practice to have procedures to handle complaints that data subjects make alleging an infringement of the UK GDPR, in addition to procedures for dealing with DSARs.
  • Legitimate interests - The Act may simplify determining whether a business can rely on a legitimate interest to lawfully process personal data for a particular purpose:
    • It introduces a new concept of "recognised legitimate interests". If processing is being carried out for certain purposes specified in the Act, such as the prevention of crime or safeguarding, then such interests cannot be overridden by the rights and freedoms of third parties. By implication a legitimate interest assessment would not be required if a recognised legitimate interest can be relied on. Nonetheless organisations may still need to conduct an assessment to demonstrate that their processing falls within the scope of a recognised legitimate interest.
    • Separately, the Act also includes examples of certain purposes that are likely to be within an organisation’s legitimate interests. These include intra-group transfers of personal data for administrative purposes and processing necessary for ensuring the security of network and information systems. Whilst this may give organisations greater confidence that they will be entitled to rely on the existing legitimate interest ground when using personal data in this way, unlike the "recognised legitimate interests", there is no indication that it would not still be prudent to conduct a legitimate interest assessment.
  • International transfers - New rules on international transfers may facilitate transferring personal data internationally. In particular, the new rules introduce greater flexibility for the UK government to make adequacy regulations in respect of third countries, which may result in a greater number of these being made. These in general allow for an organisation to transfer personal data to the country that benefits from an adequacy regulation without having to take further steps. However, where a third country does not benefit from an adequacy regulation it will still generally be necessary to use standard contractual clauses and conduct a data protection test (currently a "transfer risk assessment").
  • Purpose limitation - The Act contains new rules on how organisations can ensure that any new purpose that personal data is used for is compatible with the purpose for which it was collected, in compliance with the purpose limitation principle. In effect these rules closely align with existing ICO guidance, but place it on a statutory footing. When making a determination as to compatibility, organisations will be required to take into account a number of factors, for example the context in which the personal data was originally collected, and the existence of appropriate safeguards. In certain limited circumstances the new purpose will be deemed automatically compatible, such as where the data subject provides specified, explicit and legitimate consent to processing for the new purpose, or where the processing is necessary for protecting the vital interests of an individual. Care should be taken where consent was relied on to collect the personal data for the original purpose – in most circumstances it will still be necessary to obtain consent to processing for the new purpose.
  • Automated decision making - The Act signals a move away from the general prohibition on solely automated decision making, including profiling, which produces legal effects on data subjects or similarly significantly affects them, save in specific narrow circumstances (significant decisions). Under the new rules this will now be generally permitted (unless a significant decision is based, at least in part, on the use of special category personal data). However, organisations will need to ensure that specific safeguards, such as providing data subjects with the ability to make representations about the decisions, are applied.
  • Data protection by design and default for children - Controllers of personal data that provide information society services (a term which covers most online services) to children will be required to take into account children’s higher protection matters, such as how they can best be protected and supported in using such services, in determining whether they ensure data protection by design and default. This is consistent with a general legislative trend – typified by the Online Safety Act 2023 - to place greater responsibility on online service providers to ensure the safety of their services (see our briefing on the Online Safety Act here).

Next steps

Organisations should review the impact that the Act will have on their existing data protection compliance operations and prepare for any necessary changes ahead of its implementation. Prudent steps might include:

  • Reviewing existing compliance with PECR in light of increased fines for breaches.
  • Reviewing cookie consent procedures, in particular whether certain types of cookies used will no longer require consent.
  • Amending DSAR policies.
  • Implementing policies and procedures for responding to data subject complaints.
